Risk techniques are used in the identification, assessment and response planning steps of the risk management procedure shown below:
Few of the techniques described are unique to P3 management but they are all tailored and applied to suit the P3 context.
Identification draws on many different sources of information. All the other P3 management functions will generate risk related information and there are techniques in their procedures that are, in effect, about risk management. For example:
Stakeholder management identifies stakeholders who may be unwilling to support the objectives and may even oppose them. This is a form of risk management as applied to people with influence over the objectives.
Schedule management may identify estimating uncertainties and address these through scheduling techniques such as Monte Carlo or critical chain.
Financial management may similarly identify estimating uncertainties in cost forecasts and accommodate these through contingency and management reserves.
Risk identification needs to acknowledge these elements of risk, integrate with the other functions and pick up all other sources of risk.
Many identification techniques represent different ways of extracting risk related information from people who have knowledge of the work and its context. This can be on a one-to-one basis or in groups in risk workshops.
Individuals with specific knowledge or expertise may be interviewed, while groups can be brought together for brainstorming sessions or co-ordinated using the Delphi technique.
The use of information from previous projects, programmes and portfolios should never be overlooked and involves looking at lessons learned reports and archived risk registers. In more mature organisations these may have been collated and structured in the form of checklists and prompt lists as part of a knowledge management system.
Techniques for assessing risk are generally divided into qualitative and quantitative although the line distinguishing the two is sometimes blurred.
Qualitative risk assessment focuses on individual risk events and is primarily based on educated opinion and expert judgement. Qualitative techniques are based on two properties of a risk event: its probability (or the likelihood that it will happen) and its impact on the objectives if it does happen. It is because these properties are difficult to quantify, and often subjective, that techniques based on probability and impact are known as qualitative.
Some approaches to probability-impact assessment introduce increasingly quantitative elements until they potentially produce overtly quantitative data such as expected value. While this is very useful for calculating contingency reserves it should never be forgotten that it is based on qualitative data.
Quantitative risk assessment focuses more on uncertainty and estimating uncertainty in particular. Typical quantitative techniques for addressing uncertainty in schedule and/or cost estimating include PERT, Monte Carlo and sensitivity analysis.
Quantitative techniques can also be used to assess different courses of action that include uncertain external influence. Decision trees can be used to quantitatively compare the effect of a series of events happening or not happening. This can be particularly useful in assessing secondary, or even tertiary, risks and influence the decisions taken in risk response planning.
The principles of response planning are very similar for all types of risk, whether it be general uncertainty, specific risk events (threats or opportunities).
Possible risk responses for threats are to avoid, reduce, transfer or accept them. These act differently on the probability that a risk will occur as opposed to the impact it will have on objectives. If the risk event is an opportunity, the possible responses are to exploit, enhance, share or reject it. The two sets of responses are fundamentally the same, but tailored to minimise the detrimental effect of a threat or maximise the beneficial effect of an opportunity.
Projects, programmes and portfolios
Problems with managing risk can sometimes be incorrectly attributed to the use of risk techniques.
A common fault is to employ overly sophisticated techniques to address perceived shortcomings when the real problem lies in understanding the risk context.
Qualitative risk techniques are generally applicable and scalable to all levels of project, programme and portfolio complexity. A basic risk register as applicable to a simple project can be extended with increasing amounts of information to suit more complex projects.
A small project will make use of probability-impact analysis but is unlikely to warrant quantitative techniques which require significant effort to use correctly.
Larger, more complex projects will include significant levels of uncertainty. Perhaps as a simple accumulation of estimating uncertainty or perhaps because of the use of innovative technology.
Even work that uses established technology may be a source of great uncertainty if it is being used in an unusual context or if the delivery teams have no relevant experience. These situations can make good use of techniques such as Monte Carlo, especially since computer software makes these high volume calculations so much easier.
The main issue that management teams may face when using statistical techniques is communicating the results to stakeholders. When a stakeholder askes the question “when will my product be delivered?” they anticipate an answer like “on the 12th February” not “there’s a 50% chance it will be by the 12th February and a 95% chance it will be by 21st March”.
Stakeholder management needs to decide how such information will be communicated. How easy this is provides a good indication of the maturity of the organisation.
The risk management plan for programmes and portfolios will outline the use of techniques in its component projects, programmes and change management activity. It is important to set guidelines that ensure consistency. Without consistency, it is difficult to aggregate risk from the component parts to get a value for the overall risk of the programme or portfolio.
All identification and response techniques are applicable generally, but it is impractical to apply some quantitative assessment techniques, e.g. network based Monte Carlo analysis, at the consolidated level.
Portfolios will establish common guidelines for using risk management techniques but are also able to develop longer-term attitudes and behaviour that ensure that they are used appropriately.
Structured portfolios are directly affected by the external environment. They need to identify risks from the broadest range of sources and may utilise techniques such as PESTLE to assess the external sources of risk to the strategic objectives they are designed to achieve.